What should a SysOps administrator do to configure the S3 bucket policy statement?

By:
In: SOA-C01
Tagged:
With: 1 Comment
A company wants to store sensitive data in Amazon S3.The S3 bucket and its contents must be accessible only from the on-premises corporate network.

What should a SysOps administrator do to configure the S3 bucket policy statement?

Use a Deny effect with a condition based on the aws:sourceVpc key.

Use a Deny effect with a condition based on the NotIpAddress key.

Use an Allow effect with a condition based on the IpAddress key.

Use an Allow effect with a condition based on the s3:LocationConstraint key.

Explanations:

Theaws:sourceVpckey is used to specify conditions based on the source VPC for AWS services like EC2, not for restricting access from on-premises networks.

TheNotIpAddresskey would deny access from all IPs except those specified, but this doesn’t align with the requirement to restrict access to only the corporate network’s IPs.

TheIpAddresskey with anAlloweffect allows access only from specific IP addresses (in this case, the corporate network’s IPs), making this the correct solution for the requirement.

Thes3:LocationConstraintkey specifies the AWS region for the S3 bucket, not access restrictions based on network IPs.

2025-10-05

1 Comment

  1. Cheryl
    Author

    I map out that the answer is:
    Use an Allow effect with a condition based on the IpAddress key.

Leave a Reply

Your email address will not be published. Required fields are marked *

5 − two =